Archive for the ‘Forensics’ Category

A minion of mine was tasked with choosing a new INFOSEC story this week to talk about in our weekly threat intel calls and chose a story about a cyber stalker who was in the news this month. Ryan S. Lin, a graduate of RPI, has been charged with numerous counts that involve everything from cyber stalking to child pornography to wire fraud. Lin pleaded guilty on October 6th and the story featured the affidavit by the FBI special agent who worked the case. This is a long and twisted tale of stalking a former roommate online that spiraled out to numerous people around that target individual as well. The psychological damage to the parties involved must be pretty bad and the whole affair is quite messed up, but I wanted to share this with you in the INFOSEC field because of the work done by the FBI and the local PDs in Waltham, Newton, and the other areas where these events took place. I also wanted to cover some of the OPSEC and psychology concerning this case and the old school detective work done by the FBI.

Ryan Lin, the stalker in this case, seems to have been a mentally disturbed individual showing signs of that instability going all the way back to his high school years in Connecticut. His abuse of people online and off seems to stem mostly from his inability to form real relationships with people, and he likely has some sort of personality disorder. However, this is no excuse for his actions, and as yet I have not heard that there was any kind of psychological evaluation of him at his intake into prison. If indeed he does not have some mental disorder, then we can just chalk his actions from his teens on up to a malignant personality with a bent toward what seems to border on “incel” behavior.

In the case that brought him to court he was charged with cyber stalking, and what that consisted of is the following:

He accessed his female roommate’s MacBook and her Google Drive

He began a campaign of abuse online that included

Impersonation of the roommate sending lewd and threatening texts to family, friends, and coworkers

Creating multiple personas online to directly harass the roommate

Sending child pornography

Sending threatening texts (rape, gangbang, death threats)

Sending threatening texts (bomb threats) as the target roommate

Sending messages as the roommate alleging that she killed people’s pets

Lin used the usual means to try to cover his trail online: TOR, VPN services, and anonymous texting services, as well as cutout accounts created using all these tools. All of these efforts only delayed his discovery as the assailant, because in the end his own actions, outside of the technological means of covering his tracks, led the FBI directly to him. It is quite clear when you read the affidavit by the special agent involved in the case that Lin, for all his security measures, was incapable of being sagacious enough to leave real doubt that he was in fact the attacker.

Lin used the roommate’s diary, which was on the Google Drive accessible from her unsecured laptop, to send direct commentary AS HIMSELF citing the diary, which she had not shared with anyone

Lin was incapable of acting out about this roommate and seemed fixated on her while in the house they shared

Lin’s actions started once she refused to sell him pot again, after the first time she did so ended with him accosting her in her room at 3am, out of his mind on drugs

Lin was incapable of separating his dual lives/actions online, where he had dialogue about the very same VPN services he used to carry out the attacks and slyly taunted about the ongoing spate of bomb threats in Waltham and Newton, where he lived

It is my belief that Lin, a student of RPI and a computer programmer, was mentally impaired enough to be unable to separate these activities from the rest of his online and offline life, in a manner that fits what criminal profiling calls “a disorganized personality”, and this led to his downfall. Overall, the OPSEC problems that we in the community often talk about with regard to online actors can be clearly seen failing in this case. I have said many times on my blog and elsewhere that OPSEC will always fail because of human nature, and in some cases that human nature (or undiagnosed mental illness) will eventually give you up to the dogged investigator.

In the Lin case, it is important to note that it wasn’t JUST the collection of IP address evidence that led to Lin in the end; it was good old fashioned gumshoe interviews and forensics that did. When the FBI went to Lin’s employer, after it became clear just from circumstantial evidence that he was a prime suspect, they learned that he had just been let go. It seems that Lin had been acting strangely at work as well, and when he was let go he asked if he could log out of “personal accounts” on the laptop. The company declined and turned the laptop over to IT for re-imaging.

Now I know what you are thinking… It got re-imaged and game over right?

Nope.

The FBI was able to get the laptop either by warrant or, I think more likely, by simply asking the employer, who handed it over. The laptop had indeed been re-imaged, but FBI forensics was still able to pull incriminating evidence from the slack space afterwards. What they found was a number of data points showing that Lin had been using the corporate asset for his attacks on the roommate:

VPN software and traffic

Browser cache data

Logins/software for the anonymous texting service used in the threats (bomb threats too)

It was this evidence that was key: it let the FBI marry up this information with his online posts on Twitter and Facebook and with the VPN logs, which led to his arrest. See kids, if you use a VPN there is a high chance that your raw IP is going to be logged against your VPN pool address for the times you were online, and used as evidence. Many Anons seem to have learned that lesson, but I guess everyone has yet to catch up. Lin, a computer science grad from RPI, thought he could hide his traces, but even he was wrong.
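The log correlation described above, written out as an added example (this is not the FBI’s method or any tool from the affidavit; the log formats, account ids, and addresses are all constructed for illustration). A VPN provider that keeps session records can map a shared pool address back to the customer’s real source IP for a given moment in time; the only interesting parts for an investigator are the edge cases: a pool address that was reused by another customer a minute later, a message timestamp that falls in the gap between two sessions, and clock skew between the two logs that turns a clean single hit into an ambiguous pair.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample VPN provider connection log (not from the affidavit).
# Each record carries the customer's real source IP and the shared pool address
# handed out for that session. RFC 5737 documentation addresses throughout.
VPN_LOG = """\
2017-04-12T02:50:11Z connect    acct=A-1001 src=203.0.113.77 pool=198.51.100.23
2017-04-12T03:41:05Z disconnect acct=A-1001 src=203.0.113.77 pool=198.51.100.23
2017-04-12T03:42:30Z connect    acct=A-2002 src=192.0.2.45   pool=198.51.100.23
2017-04-12T05:10:00Z disconnect acct=A-2002 src=192.0.2.45   pool=198.51.100.23
2017-04-12T03:00:00Z connect    acct=A-3003 src=203.0.113.9  pool=198.51.100.24
2017-04-12T04:00:00Z disconnect acct=A-3003 src=203.0.113.9  pool=198.51.100.24
"""

# Constructed sample from the anonymous texting service: when each abusive
# message was submitted and the client address it came from (a VPN pool IP).
MESSAGE_LOG = """\
2017-04-12T03:12:44Z msg=m1 client=198.51.100.23
2017-04-12T03:55:00Z msg=m2 client=198.51.100.23
2017-04-12T06:00:00Z msg=m3 client=198.51.100.23
2017-04-12T03:41:50Z msg=m4 client=198.51.100.23
"""

SESSION_RE = re.compile(r"(\S+)\s+(connect|disconnect)\s+acct=(\S+)\s+src=(\S+)\s+pool=(\S+)")
MSG_RE = re.compile(r"(\S+)\s+msg=(\S+)\s+client=(\S+)")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_sessions(log):
    """Pair connect/disconnect records into sessions keyed by (account, pool IP).
    A connect with no matching disconnect is kept as a still-open session."""
    open_sessions, sessions = {}, []
    for line in log.splitlines():
        m = SESSION_RE.match(line.strip())
        if not m:
            continue  # skip unparseable lines instead of aborting mid-log
        ts, kind, acct, src, pool = m.groups()
        t = parse_ts(ts)
        key = (acct, pool)
        if kind == "connect":
            open_sessions[key] = (t, src)
        else:
            start, src0 = open_sessions.pop(key, (None, src))
            sessions.append({"start": start, "end": t, "acct": acct, "src": src0, "pool": pool})
    for (acct, pool), (t, src) in open_sessions.items():
        sessions.append({"start": t, "end": None, "acct": acct, "src": src, "pool": pool})
    return sessions


def attribute(msg_log, sessions, skew_seconds=0):
    """For each message, list the (account, real source IP) pairs whose session
    held the message's client address at that moment, widened by an allowed
    clock skew. Zero hits: the logs do not cover that moment. More than one hit:
    the pool address was shared or the skew window spans two sessions, so the
    evidence on its own is ambiguous and needs corroboration."""
    skew = timedelta(seconds=skew_seconds)
    result = {}
    for line in msg_log.splitlines():
        m = MSG_RE.match(line.strip())
        if not m:
            continue
        ts, msg_id, client = m.groups()
        t = parse_ts(ts)
        hits = []
        for s in sessions:
            if s["pool"] != client:
                continue
            start_ok = s["start"] is None or s["start"] - skew <= t
            end_ok = s["end"] is None or t <= s["end"] + skew
            if start_ok and end_ok:
                hits.append((s["acct"], s["src"]))
        result[msg_id] = sorted(hits)
    return result


if __name__ == "__main__":
    sessions = parse_sessions(VPN_LOG)
    for msg_id, hits in attribute(MESSAGE_LOG, sessions).items():
        print(msg_id, hits or "no session covers this time")
    print("with 2 min skew:", attribute(MESSAGE_LOG, sessions, skew_seconds=120)["m4"])
```

With the constructed data, m1 resolves to one customer, m2 to the next customer who was given the same pool address, m3 falls outside every session, and m4 sits in the 85-second gap between the two sessions: it matches nobody at zero skew and two different customers once a two-minute skew is allowed, which is exactly why timestamps alone are never the whole case.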

Take heed those who want to do bad things because eventually you will screw up and you will be caught.

In closing I just wanted to share this with you all as a lessons learned and as an appreciation of the world of digital forensics. As someone who does forensics as part of my daily job, I have to tell you all it is one of the more interesting parts of my day. I do love uncovering evidence and creating narratives that lead to wrongdoers getting their comeuppance, as they say. I also wanted to once again point out that there are many avenues to investigation that even a digital forensics practitioner can employ in their day to day. Consider the psychology of the actor and their patterns of behavior. Oftentimes I have a portion of my mind working that angle as I work on a forensic image in cases.

What actions would this person take given what I have seen so far?

What are the motives?

How would I do things were I them?

All of these are questions that should be asked when performing work like this. They may lead you to some answers that you can back up with forensic evidence. All of this plays out with Threat Intelligence and intelligence analysis as well. Look at the larger picture, kids; just don’t get buried in the bits and bytes.

OCTOBER SURPRISE! I’MA OPENING A CAN OF NOPE SAUCE ON GUCCIFER 2.0

You all have likely seen the news since October 4th, when the Gucci boy dropped another dump of dox on Hilly and Bill. Yo yo yo though, this dump isn’t what he claims it is. Of course in the news reports the Clinton camp denied the files were theirs, and on the face of it, with the screenshots given, I can agree to agree. However, in this world of insta media fuckery I wanted to follow up with some forensication on this shit. So I downloaded the “dox” and I did some metadata forensics, which it seems the media has failed to do once again. I mean really, is it so fucking hard for the media to like do due diligence and shit?

Anyway, the bulk of the docs were written by Miss Kurek of the DCCC, 499 of them to be specific. I did not go into the stats on the Excel files and PDFs, but if you Google up Missy (Kurek) she is a Pelosi minion and has a position at the DCCC. So that right there made me say “hmmmmmm”. I went further though and pulled the PC user/machine data that could be captured from the documents in question. What I found was that none of these documents were written on any asset with the name “clinton” or “clintonfoundation” at all. In fact, all of the machine names involved pretty much just said “pc” and a user name, so no real enterprise networking here kids.

Furthermore, when you pull out the network data all you see are DCCC servers. So unless the Clinton Foundation is running all their shit out of another bathroom server at the DCCC, this ain’t the dox Gucci was promising. So that leaves me to wonder just what the hell is up with ol’ Gucci boy. Are the Russians running out of shit to post or is this cat going rogue on them? Perhaps the Gucci cutout is now believing his or her own hype? This dump though casts doubt on everything else he or she may put out in the future, and if it was an “off the rez” situation then he or she may be in for a visit from the GRU in the near future.
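The metadata pull described above, as an added example (my own illustration, not the script used for this post). OOXML files (.docx and .xlsx alike) are zip packages whose docProps/core.xml and docProps/app.xml carry the creator, last-modified-by and company fields, and the remaining XML parts often contain hyperlinks, UNC paths and e-mail addresses; the example walks a whole dump, tallies the users, collects every e-mail address and server host, and then answers the attribution question the post asks (does “clinton” appear anywhere in the user, e-mail or server fields?). The three documents, the user names and the example.org / clinton.example values are constructed; legacy .doc and .pdf files use different containers and are out of scope here.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from collections import Counter

# OOXML namespaces used by docProps/core.xml and docProps/app.xml.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
# Hosts that occur in every package purely as schema identifiers; they are not
# evidence of anything and are dropped from the server list.
SCHEMA_HOSTS = {"schemas.openxmlformats.org", "purl.org", "www.w3.org", "schemas.microsoft.com"}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
UNC_RE = re.compile(r"\\\\([A-Za-z0-9][A-Za-z0-9_.-]*)\\")        # \\server\share\...
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9][A-Za-z0-9.-]*)")


def build_sample_docx(creator, last_modified_by, company, body_text=""):
    """Construct a minimal .docx package in memory (test data only; a real dump
    would be read with open(path, 'rb')). Only the parts the extractor uses."""
    core = (f'<?xml version="1.0" encoding="UTF-8"?>'
            f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
            f'<dc:creator>{creator}</dc:creator>'
            f'<cp:lastModifiedBy>{last_modified_by}</cp:lastModifiedBy>'
            f'</cp:coreProperties>')
    app = (f'<?xml version="1.0" encoding="UTF-8"?>'
           f'<Properties xmlns="{NS["ep"]}"><Company>{company}</Company></Properties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("word/document.xml",
                   f"<w:document><w:body><w:t>{body_text}</w:t></w:body></w:document>")
    return buf.getvalue()


def extract_docx_metadata(data):
    """Return creator / last-modified-by / company from the property parts plus
    every e-mail address and server host found in any XML or .rels part."""
    meta = {"creator": "", "last_modified_by": "", "company": "", "emails": set(), "hosts": set()}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            core = ET.fromstring(z.read("docProps/core.xml"))
            meta["creator"] = core.findtext("dc:creator", default="", namespaces=NS)
            meta["last_modified_by"] = core.findtext("cp:lastModifiedBy", default="", namespaces=NS)
        if "docProps/app.xml" in names:
            app = ET.fromstring(z.read("docProps/app.xml"))
            meta["company"] = app.findtext("ep:Company", default="", namespaces=NS)
        for name in names:
            if not name.endswith((".xml", ".rels")):
                continue
            text = z.read(name).decode("utf-8", "replace")
            meta["emails"].update(EMAIL_RE.findall(text))
            for host in UNC_RE.findall(text) + URL_HOST_RE.findall(text):
                if host.lower() not in SCHEMA_HOSTS:
                    meta["hosts"].add(host.lower())
    return meta


def summarize(packages):
    """Aggregate a whole dump: how many documents each user created or edited,
    and every e-mail address and server host seen across the set."""
    users, emails, hosts = Counter(), set(), set()
    for data in packages:
        m = extract_docx_metadata(data)
        for u in (m["creator"], m["last_modified_by"]):
            if u:
                users[u] += 1
        emails |= m["emails"]
        hosts |= m["hosts"]
    return {"users": users, "emails": sorted(emails), "hosts": sorted(hosts)}


def keyword_hits(summary, keyword):
    """Which metadata fields mention the keyword (case-insensitive); a quick
    way to test an attribution claim like 'these files came from organisation X'."""
    k = keyword.lower()
    return {
        "users": any(k in u.lower() for u in summary["users"]),
        "emails": any(k in e.lower() for e in summary["emails"]),
        "hosts": any(k in h.lower() for h in summary["hosts"]),
    }


# Constructed dump of three documents: placeholder user names, RFC 2606 domains.
SAMPLE_DUMP = [
    build_sample_docx("user1", "user1", "", r"\\fileserver01.example.org\shared\memo.docx"),
    build_sample_docx("user2", "user1", "Example Org",
                      "contact alice@clinton.example via https://intranet.example.org/docs"),
    build_sample_docx("pc-user3", "", "", "no identifying content"),
]

if __name__ == "__main__":
    s = summarize(SAMPLE_DUMP)
    print(s["users"].most_common(), s["emails"], s["hosts"])
    print(keyword_hits(s, "clinton"))
```

On the constructed dump the user tally, e-mail list and server list come out separately, and the keyword check shows the same shape of result the post describes: a couple of clinton addresses in the e-mail field, nothing in the machine or server fields. Running the same thing over a real set of files is just a matter of reading each file’s bytes into the list.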

Anyway, public service done here… You can thank me at any point Grandma Nixon!

Oh, and yeah, you newsies, fucking do your homework!

K.

DATA

Users

User List

Emails

Email addresses found in metadata (doc/docx/pdf/xls/xlsx)

Networks

Networks and servers found in metadata

Clinton Foundation Metadata

Clinton Email located

I found two emails for Clinton.com in two docs but nothing else.

UPDATE!!

Evidently I was a bit hasty in saying no journos had done due diligence. I have been informed that The Hill and Ars did look at the metadata by clicking on “properties”. Good on them! Now, how about some real forensics… I mean, it did not take long…

*post written to Ghost Dog OST by RZA*


On Sunday Defcon 20 had a talk, which I had previously written about, on the idea of using statistical analysis of word use to determine psychopathy in individuals online. As I sat through the talk and steadily watched people get up and leave, I too had the urge to walk away. However, I had a mission, and that was to confirm whether there was any evidence that would say to me this was a viable means of detecting psychopaths.

What I came out with, after many slides of numbers, was “nope, not really”, which I had pretty much thought before. There are just too many variables in this type of venture, and you would, in the end, need a trained psychoanalyst to talk to the individual to determine whether or not they are a true psychopath.

Sorry Sugg.. It was an interesting idea and I am wondering just where this will go if the author of the original paper tries to expand upon this process. You see, for this to possibly work online, a trained individual would have to chat with the “patient” or “UNSUB”, as the case may be, asking specific questions to elicit responses. See, that would work I think, but it is a manual process, not a big data solution. So, while it was an interesting trip into what psychopathy is and possibly how to spot it in word use, it was a failed experiment in my book.

Now, another twist on this idea might be to take the transcripts of anonymous and other IRC chats and wash that through your program… There’s a lot going on there mentally and it might show some traits, but are they really suffering from some sort of psychiatric illness or are they just maladjusted? This is something I have written about before, and the vernacular used, as well as the mindset that seems to be prevalent, warrants some looking at perhaps.

Maybe next year?

Overall though, I surely hope that the governments and law enforcement bodies out there do not take up this idea and begin to mine people’s chat logs for psychopathy.

*shudder*

Ding Dong! It’s the forensic psychiatrist.. We saw your tweets and thought we’d have a chat? What? These cops? They’re just here to visit too!

Preamble:

I recently posted about the Hidden Wiki and its prevalence in hosting paedophilia content. This post may or may not have left an impression on some of the anonymous collective to take action, and perhaps sow good will for their group, by hacking into the “Lolita City” site within the DarkNet and releasing thousands of users’ email addresses and personal data (such as it is on such a site) for the Internet to feast upon. The Anons are doing this for their own reasons, but the upshot of it all is that they are causing the paedophiles pain by making it hard for them to get their content as well as potentially outing them online as purveyors and consumers of this wretched content.

Since my post applauding them and giving them some direction as to how to become more of an intelligence gathering apparatus for the LEO community, some in the infosec world have come forward and voiced concerns about this line of thought. All of the talk about the morals, legalities, and philosophical aspects of Anonymous undertaking such actions has gotten me thinking quite a bit. It all raises some interesting questions and philosophical challenges.

Anonymous and Digital Vigilantism:

What I think most people with reservations about Anonymous taking up such operations as the DarkNet op have in mind is that these people are for the most part kids without training and without any kind of oversight. Oversight in the sense that they could get too big for their britches (one could say that many already have) and think they are invulnerable to attack, never mind the laws of our society. That said, it would seem that Anonymous, Antisec, and LulzSec have already decided to take up the mantle of vigilantes. However, the targets have been, for the most part, varied parties that could be seen either as hapless victims or as malefactors; it all depends on the point of view really.

In the case of Scientology, well, aside from religious freedoms (trust me, they are not a religion), generally the Scientologists have been pretty much seen as getting what they deserved. Today though, years later, Anonymous has begun to take on the governments of the world as well as the likes of paedophiles online. Once again, generally, people see what they want to concerning whether governments are good or bad. Paedophiles though are pretty much outlawed universally. So, when Anonymous decided to attack, I could not fault them one bit. However, I could perhaps fault their methods.. Only in that they were bound to let the paedos get away in the end.

I have said it before and I will say it again.. “One man’s freedom fighter is another man’s terrorist”. It all depends upon your perspective really. While I do not think all of their targets have been chosen wisely, I cannot fault the true believers out there who are doing something out of conscience and good. This is not to say that a certain element of the movement is not in fact just in it for the lulz (i.e. Antisec and LulzSec). There certainly are factions at play who just want to see the world burn as well as garner themselves digital street cred.

Overall though, the term vigilante denotes a person or persons (committees) who dole out justice summarily when the law is seen by them as ineffective. In this case, the Anons have taken up the mantle of vigilante in order to rid the DarkNet of paedophile content because law enforcement seems unable to do so effectively. Now this is also the crux of the issue in another way, as the police generally are not allowed to hack into sites and dump the dirt, so to speak.. The Anons are unhindered here. Just as they have felt the same way about other operations where they have denied service to corporations (likening it to a digital sit-in), they have crossed the line of the law, but their methods and motivations are free of it… Until they get caught, that is.

The essence of the thing is this.. “Don’t do the crime unless you can do the time”. If they believe in it strongly and act upon it, then they must accept the risks of being caught and incarcerated. So far, much of what I have seen from a good deal of Anons has been motivated by convictions and beliefs. All others have been for lulz, which is what made LulzSec even more of a problem, as they just did not care. The current Antisec movement that LulzSec begat also seems to lack the conviction of their beliefs and, judging by their writings, seems more driven by ego than anything else.

And this is the difference between the chaotic Joker like actors and the Batman types.

Anonymous vs. PLA, vs. Patriot Hackers:

Pulling back a bit now, I would like to look at the macroscopic view of vigilante behaviour versus nation state sanctioned, or perhaps a better word for it would be “condoned”, actions and groups. I have written in the past about groups like the Honker Union in China as well as the colourful character known as th3j35t3r. Both of these entities have had an effect on the collective consciousness concerning digital vigilante justice, and I think it important that they form the contextual base for Anonymous’ actions in Operation DarkNet.

First off, ALL of these entities have been doing what they do (Jester DDoSing Jihadi sites; the Honker Union hacking against the enemies of China; and Anonymous attacking Scientology, the gov, and paedos) with a mind toward doing “good”. In the case of Jester, he DDoSes jihadi sites out of a patriotic bent, thinking it will stop them from communicating. In the case of the Honker Union, they are patriots to their homeland and attack others who would do their country slight or harm. Anonymous though started out of /b/ … which really is a band of miscreants for the most part. However, a core group decided to take on the mantle of doing right somewhere down the line, and we find swaths of them today supporting Occupy Wall Street and other political agendas.

The basic idea here is that they are all motivated by a belief in some greater good.. Mostly. I am sure that on individual levels there are many more motives (ego, greed, ego… the list goes on), but I will just put it to a gross generality that these people want to effect some kind of change.

At least I hope that this is the case…

What is really different though is that in the case of Jester and the Honker Union, both are condoned if not outright supported efforts by the countries they reside in. In the case of the PLA and the Honker Union, there is a clear connection between the state and their actions. In the case of Jester, there are allegations (made by him) that he is state sponsored.. But, I think more to the point, he is condoned. Either way, the Anons may indeed be getting some support (moral or other) from state sponsors and not even know it. In the case of Anon, they could just become the tool of another nation state and not know any better.

Which is pretty scary.

All of these entities though have had a greater or lesser effect upon the internet these last few years through their online shenanigans via hacking. The secret is this: they are just the first. There will be others to be sure.. The genie is out of the bottle on this one.

Anonymous vs. LulzSec & Antisec:

Conversely, we have LulzSec and Antisec, who have both wreaked havoc on the corporations and the police of the world lately. Their reasons for doing so have pretty much been stated as “because we are bored”. At the core though, there seem to be a couple of motives here from postings online. One is the aforementioned lulz; the other seems to be a kind of abject hatred of authority and police. In recent hacks on the police though, there seems to be a bent toward supporting the Occupy movement, as the police have had some transgressions against them. So.. They hacked the police and dumped all their data to spite them. Frankly, I see no value in this, and once again, even if motivated by supporting the movement, it has no real effect on the police other than to make them more angry and reactive against the protesters.

Anonymous on the other hand has had its lulz, but seems to be growing up a bit and maturing. The social conscience of Anon has begun to take shape, and within it (movement wise) may well be the lasting component that will be its raison d’être in the end. Time will tell though, and I hope that this is the case more so than just a bunch of malcontents seeking attention and excitement.

The Hand Wringing by The Infosec Community At Large:

Alright, back to the hand wringing and the moralizing post the Op DarkNet…

Certain people in the community wrote that while they empathised with what Anon was trying to do with Op DarkNet, they felt that these people were not the folks they would have doing this to start with. Most of this comes from the fact that many of the players are not trained investigators and not LEOs. I can agree with this from the perspective of legal proceedings later on. If Anonymous hacks a server and then dumps data, it could affect the court case from a few perspectives:

Contamination: The defense could claim that the server was hacked and the data planted

The data could indeed have been tampered with by Anons

The backend of the server/database could in fact be shared, and all those who share it could be swept up in the legalities/implications

The hack is enough to raise reasonable doubt

So, yes, it could be counterproductive to have a vigilante force actually hack a system and report it to law enforcement. However, I would advocate that in the case of Anonymous and the paedos at the least, they not just hack and dump data, but instead give that data to law enforcement to start an investigation. For that matter, if Anonymous just located the servers and authenticated (sans hacking) that the content was there, they could in fact just tip off the police.

And this is at least part of what they did with Lolita City in the DarkNet. They tried to locate the server location and this alone could be a great boon for the authorities.

On the other hand, there are moral/ethical objections on the part of some who think that letting Anonymous do this type of thing, or even encouraging it, is setting a bad precedent. To them, vigilantes are outside the scope of good behaviour and the law.. They cannot be tolerated. Personally, I think that is a sanctimonious load of crap, but that’s just me.

Sometimes when the system cannot function, other means need to be taken to effect change. In this case, within a network that is anonymized and where the authorities have had little success in catching anyone trading in paedophilia, I see no harm in Anonymous outing them.. Though I would rather they just passed the intelligence to the LEOs instead. It is my opinion that, if done correctly, intelligence gathering of this type with a tip-off to the police has a better chance at actual arrests and convictions than just letting them go on about their peddling of child pornography.

Just one man’s opinion…

Philosophical and Ethical Stands On Being The Digital Batman:

This is the philosophical and ethical standpoint I take in being the digital Batman. Strict utilitarianism dictates that maximizing overall good is key. In this case and perhaps others, the taking down of the paedophiles’ content and capturing their login credentials is enough “good” to allow the action to be seen as acceptable. This is really the basis of The Batman’s ethics in the comics and, ideally, for me on this particular incident with Anonymous.

Now, this does not mean I agree with all of their operations, and I certainly do not agree with the bulk of the actions carried out by the Antisec movement. However, the perspective is the key I suppose. It’s a slippery slope I admit, but in the case of OpDarkNet I agree with the greater good being served.

Then we have the Deontologists like Sam Bowne. Deontology is a nice thing to cling to: the ethical rules of a governing system of laws. However, it seems to me, and to others here, that this system of laws is not working against these offenders in the hidden wiki. Sure, you could say that the LEOs have ongoing investigations, but just how many busts have there been as opposed to the massive amount of content located on the hidden wiki and within i2p, Freenet, and TOR?

So far, I have not seen law enforcement really winning this battle.

Oh well, the Deontologists have their point of view and others have theirs. The key here is that Sammy and others like Packetknife are entitled to their point of view. They are right for themselves, and that is the issue with all philosophy and ethics arguments. Like I said, it’s all about your world view. However, I do not subscribe to a moral absolute, unlike someone like Sammy.

There are no right answers. There is only what you are willing to accept for yourself.

Legal Aspects of Digital Vigilantism:

The US code on activities related to sexual exploitation of minors alludes to the fact that one has to “knowingly” access such content and to have more than 3 pieces of “content” to be considered guilty of child exploitation/pornography. This of course also alludes to the trafficking thereof, etc. etc. in legalese. Where this is important for the digital Batman is in the caveats.

(c) Affirmative Defense. - It shall be an affirmative defense to
a charge of violating paragraph (4) of subsection (a) that the
defendant -
(1) possessed less than three matters containing any visual
depiction proscribed by that paragraph; and
(2) promptly and in good faith, and without retaining or
allowing any person, other than a law enforcement agency, to
access any visual depiction or copy thereof -
(A) took reasonable steps to destroy each such visual
depiction; or
(B) reported the matter to a law enforcement agency and
afforded that agency access to each such visual depiction.

So, as I said before, if you are trying to take one of these sites down, then do turn off your browser’s image capabilities.. Hell, why not just use Lynx for that matter, so as to negate the issue. However, there is a key point here that you all should take into account. It’s the bit about making the LEOs aware of the content. This is what I was trying to get at before. If Anonymous or anyone is going to go after this content, then it would be best if you tipped off the LEOs to the site and the content. Now, the above statement implies that if you make the tip, then you are going to let the police have your system to look at… And we all know Anonymous is not going to do that. So, just be judicious about your tip-offs to the authorities. Do your homework and dump the data to them directly, not on Pastebin.

Of course, then there are the issues of hacking a system in the first place… Well, in the DarkNet, the only thing as I see it that is key would be not leaving a trace that you were there. You know, kinda like the whole hiking ethos of only leaving footprints.. But in this case I would suggest not even a footprint should be left behind. It seems to me that if you hack a paedo site, even with good intentions, you could get the double whammy from the authorities of hacking as well as accessing child porn…

And that could really be problematic.

So, in the end, I circle back to recommending that you become intelligence gatherers and locate the sources to report. If you locate them, and you get some good details for the authorities without having to SQLi them, all the better. You will be doing a good thing AND you will be satisfying the Deontologists in the room.

My dear dear lord,
The purest treasure mortal times afford
Is spotless reputation—that away,
Men are but gilded loam, or painted clay.
A jewel in a ten-times barr’d-up chest
Is a bold spirit in a loyal breast.

Mowbray, Richard II Act 1 Scene 1

As fate would have it, today I saw a tweet that said Symantec had a paper coming out on “Stuxnet II”. I surfed on over and read the document, and what I was left with was this:

“We rushed to judgement here and wanted to get this out to get attention before anyone else did.. Here’s STUXNET REDUX!”

Now, sure, the code base appears to be Stuxnet’s, and yes, there are similarities because of this; however, calling this Stuxnet Redux or “Son of Stuxnet” is just a way of patently seeking attention through tabloid style assumptions put on the Internet. Let me pick this apart a bit and you decide…

Code Bases and Re-Tasking

So ok, the coders seem to have had access to the FULL source of Stuxnet. It has been out there a while, and surely some people in the world of “APT” have had access to this. It’s not like it was some modified version of Ebola kept at Sverdlovsk by Biopreparat. Had you even considered that it was released on purpose as chaff, to get others to tinker with it and thus muddy the waters?

I’m guessing not from the report that I read, hurried as it was and full of conclusions being jumped to. In fact, Symantec even said that they had not fully audited the code! C’mon…

Alrighty then, we have a newly released and re-tasked version of Stuxnet that turns out to be just a recon tool to steal data. I find it interesting that they make so much of this and intone that the coders of the original are up to shenanigans again, but fail to even consider that it could be anyone with the requisite skills to cut into the original code (after it had been laid out for everyone to look at) and re-task it with a new time frame. Please note that the original 0day attacks, the multiplicity of infection vectors, and the exfiltration schemes are not present.

So, not really so complicated as I see it.. You?

The original code/malware was very targeted, and this, well, this is really just like any other APT attack that I have seen out there.. In fact, in some ways it’s less clever than the APT attacks out there from the past.

So, really Symantec, take a step back and mull this all over again before you release.. Say.. Just who else had the code and you were worried about that would steal your thunder here?

Pathetic.

RATS, RECON, & Targets

Speaking of the infiltration/exfiltration picture, I see from the report that they are linking the RAT to the original worm but have no real proof that it came from DUQU! It was found in situ on the box that they analyzed, and they make the assumed statement that it was “likely” downloaded by the malware via its comms to the C&C.

Once again I say “Evidence Much?”

You have no basis other than assumption, but you make no real clarification on this. Though there is mention of a DQ.tmp file, which I assume means that it came from the RAT.. But.. Proof again please? It’s the little things that count here, and I see a great failure in your haste, Symantec.

Another thing that is bugging me now is that the news cycle is making connections to DUQU with attacks on power grids.

HOLY WTF?

Symantec, DO YOU HAVE EVIDENCE of which companies were “targeted” by this malware re-hash? If so, you should come out of the closet here a bit, because this is BS unless you have proof. I of course understand that you cannot name the companies, but CONFIRM OR DENY that they were all power companies before making claims and allusions that the media will just shriek at the top of their lungs, placing more FUD in the headlines.

Or… Wait.. Now that might be an advantage to you guys huh?

Ponder.. Ponder…Ponder…

Well played….

What it all boils down to for me is this:

Someone re-tasked the malware and stuck a common RAT in it. Until you (Symantec) come up with more solid evidence of more interesting and technical attacks, then I call bullshit on you.

What? No Mention Of APT Here?

Meanwhile, I see that people are assiduously avoiding the APT word… Hmmmm What does this attack really remind one of… APT!

There, I said it.

APT attacks:

Infiltrate

Seek data

Exfiltrate data

Keep access

And therein lies the rub. DUQU has a 36-day shelf life. Now, this is good at a footprinting level AND could be excellent for setting up the next attack vector, which could include the component of sustained access. So, the reality here for me is that this was a footprinting attempt on whatever companies it was set upon. It was a recon mission and that was all.

NOT STUXNET..NOT SON OF STUXNET!

Had you called it a Stuxnet-like attack re-purposing code, then I would have had fewer problems with your document, Symantec. Instead we got FUD in a hurry.

Baseless Claims: Pictures Or It Never Happened!

Finally, I would like to see Symantec spend some more time here, as well as see others pull this all apart. I want to see more proof before you all go off half-cocked and get the straights all upset over an attack that may have nothing to do with the original.

In my last couple of posts I took a look at what has been going on with Anonymous and HBGary Federal. Within those posts, I began musing on just how decentralised Anonymous really is. By looking at the overall picture of how Anonymous seems to work on the face of it, you might think that they are just a fluctuating group of online personae who sign up for certain operations that they desire to devote time to. However, no matter how many times I look at the big picture, I still see underlying structure(s) with more static features that can be analysed, and that leaves open the possibility that the anonymity is only pseudo-anonymity.

Now, this may rankle some within the Anonymous camp and will likely cause some comments here, but this is something that interests me and is really an academic thought experiment, as opposed to Aaron’s little projects. So, you anons out there, take this post and my musings as food for thought as you go about your anonymous lulz. I am not searching you all out to “out” you, just looking at an interesting problem.

With that said, let’s move on to my theories.

Motivations, Drivers, Flocking, Herding, and Convergence Theory:

Before I go into the infrastructure of Anonymous as I see it, let me first go into the psychology behind the human side of Anonymous. This bears directly on the infrastructure because humans online comprise the entity known as Anonymous. It is the psychology behind that human element that gives rise to the means by which its actions are carried out in a social media format (i.e. the Internet, IRC, social media).

Human motivations can be and are myriad; however, there are some basic desires that are fulfilled by action as a cohesive group. These desires or goals take shape in differing ways. In the case of Anonymous, they have aligned themselves with a “swarm” mentality, and I ascribed to that at first, but after thinking about it quite a bit I have come to the conclusion that a swarm does not really fit the patterns of behaviour exhibited by Anonymous. A swarm implies a lack of thought, just reaction. The examples used before, of bees or ants, are good ones for showing that Anonymous in fact does not resemble them. Instead, the Anons all have motivations, as a whole and individually, that drive them to act as they do. In this simple fact, having self-awareness and motives, the allusion to swarming shows itself to be a fallacy.

Instead, I propose that since humans are behind the actions of Anonymous and comprise its ranks, other theories from a more humanistic approach, much of it from psychology, apply to them. The following theories apply as I see it.

From Wikipedia

Herd behavior in human societies
The philosophers Søren Kierkegaard and Friedrich Nietzsche were among the first to critique what they referred to as “the crowd” (Kierkegaard) and “herd morality” and the “herd instinct” (Nietzsche) in human society. Modern psychological and economic research has identified herd behavior in humans to explain the phenomena of large numbers of people acting in the same way at the same time. The British surgeon Wilfred Trotter popularized the “herd behavior” phrase in his book, Instincts of the Herd in Peace and War (1914). In The Theory of the Leisure Class, Thorstein Veblen explained economic behavior in terms of social influences such as “emulation,” where some members of a group mimic other members of higher status. In “The Metropolis and Mental Life” (1903), early sociologist George Simmel referred to the “impulse to sociability in man”, and sought to describe “the forms of association by which a mere sum of separate individuals are made into a ‘society’ “. Other social scientists explored behaviors related to herding, such as Freud (crowd psychology), Carl Jung (collective unconscious), and Gustave Le Bon (the popular mind). Swarm theory observed in non-human societies is a related concept and is being explored as it occurs in human society.

Information Cascade:

An information (or informational) cascade occurs when people observe the actions of others and then make the same choice that the others have made, independently of their own private information signals. Because it is usually sensible to do what other people are doing, the phenomenon is assumed to be the result of rational choice. Nevertheless, information cascades can sometimes lead to arbitrary or even erroneous decisions. The concept of information cascades is based on observational learning theory and was formally introduced in a 1992 article by Sushil Bikhchandani, David Hirshleifer, and Ivo Welch.[1] A less technical article was released by the authors in 1998.[2][3]

Classical theories
The main idea of Sigmund Freud’s crowd behavior theory is that people who are in a crowd act differently towards people from those who are thinking individually. The minds of the group would merge to form a way of thinking. Each member’s enthusiasm would be increased as a result, and one becomes less aware of the true nature of one’s actions.
Le Bon’s idea that crowds foster anonymity and sometimes generate emotion has become something of a cliché. Yet it has been contested by some critics, such as Clark McPhail who points out that some studies show that “the madding crowd” does not take on a life of its own, apart from the thoughts and intentions of members. Norris Johnson, after investigating a panic at a 1979 Who concert concluded that the crowd was composed of many small groups of people mostly trying to help each other. However, ultimately, leaders themselves identify themselves to an idea.

Theodor Adorno criticized the belief in a spontaneity of the masses: according to him, the masses were an artificial product of “administrated” modern life. The Ego of the bourgeois subject dissolved itself, giving way to the Id and the “de-psychologized” subject. Furthermore, the bond linking the masses to the leader through the spectacle, as fascism displayed in its public representations, is feigned:

“When the leaders become conscious of mass psychology and take it into their own hands, it ceases to exist in a certain sense. […] Just as little as people believe in the depth of their hearts that the Jews are the devil, do they completely believe in their leader. They do not really identify themselves with him but act this identification, perform their own enthusiasm, and thus participate in their leader’s performance. […] It is probably the suspicion of this fictitiousness of their own ‘group psychology’ which makes fascist crowds so merciless and unapproachable. If they would stop to reason for a second, the whole performance would go to pieces, and they would be left to panic.”[1]

Edward Bernays (1891–1995), nephew of psychoanalyst Sigmund Freud, was considered the father of the field of public relations. Bernays was one of the first to attempt to manipulate public opinion using the psychology of the subconscious. He felt this manipulation was necessary in society, which he felt was irrational and dangerous.

Convergence theory

Convergence theory holds that crowd behavior is not a product of the crowd itself, but is carried into the crowd by particular individuals. Thus, crowds amount to a convergence of like-minded individuals. In other words, while contagion theory states that crowds cause people to act in a certain way, convergence theory says the opposite: that people who wish to act in a certain way come together to form crowds. An example of convergence theory states that there is no homogeneous activity within a repetitive practice, sometimes observed when an immigrant population becomes common in a previously homogeneous area, and members of the existing community (apparently spontaneously) band together to threaten those trying to move into their neighborhoods. In such cases, convergence theorists contend, the crowd itself does not generate racial hatred or violence; rather, the hostility has been simmering for some time among many local people. A crowd then arises from convergence of people who oppose the presence of these neighbors. Convergence theory claims that crowd behavior as such is not irrational; rather, people in crowds express existing beliefs and values so that the mob reaction is the rational product of widespread popular feeling.

My money, though, is on Convergence Theory. While herd mentality works in many respects, the herd is less actively motivating the outcome than it is reacting to external stimuli or to a single entity moving it to “herd” in a specific direction. Convergence Theory, however, offers a more nuanced understanding: like-minded individuals congregate socially and then, as a crowd, act out their collective consciousness. I believe that all of these behaviours and observations play a role in the macro-verse of Anonymous.

I also believe that at times there are leaders who take up the issue that they feel needs redress and then start that herd moving toward a goal by beating the drum. Thus you have the chats and the boards where people take their digital soapboxes out and speak on the target, the reasons, and the method of attack. If the idea gets enough traction, vis-à-vis the oration of the de facto leader at that time, then a movement begins. Which brings me to the next topic.

Cells vs Spontaneous Headless Entities:

Anonymous has said many times, and rather vociferously, that they are a headless organisation. I have always been of the opinion that no matter how many times they make that claim, it is functionally impossible. There will always be a core group of individuals leading an operation. It is also the case that Anonymous is predicated on infrastructure that must be maintained. The IRC rooms, the servers, the web servers etc. all have people who operate and manage them. In this respect, those persons would be the holders of the keys to the kingdom, would they not? If a person in charge of such functions were to turn (or be turned) on the organisation, they could do massive damage to the org by being in charge of key assets.

I would further posit that each “raiding party”, as they may be called, would also have de facto leaders. An instance of this can be seen in the WBC debacle, in the response to WBC that claims 20 people had worked on the document. Those twenty people would nominally be the leaders of that cell or operation, by my account. So, to extend this further, for every operation there must be a division of roles and responsibilities doled out in order to function; it is just our nature to do this. If Anonymous were truly a chaotic system, nothing would get done effectively.

Cells, however, also fit as a modus operandi for Anonymous. When I say cells, I mean this from the perspective of cells in terrorism. Al Qaeda, as a functional operation, has been winnowed down to the point of being only a titular entity in the jihadi movement. Due to the war on terror, AQ has shifted its operations from being rather linear to a cell mentality. All of the cells out there are pretty much self-formed at present. The cells consist of like-minded people who get subtle and not-so-subtle information/mandates from the AQ HQ via things like “Inspire Magazine” or the jihadist boards. The same can be applied to the structure of Anonymous. There are still those people who are making suggestions and/or are outright perceived leaders, and who can be singled out as targets of interest. This may not be the case every time, but, by using the information above on motivations and crowds, you can infer that it is the case more often than not.

Nick Re-Use as De-Anonymization:

Now, once you consider the motivations and the structures that are created or used, you must then consider how someone would go about determining targets of interest. In the case of Anonymous, this attempt had been made (poorly) by Aaron Barr. He went after certain parties that he claimed were in fact the core leaders of Anonymous. I can’t say that any of those names were in fact core leaders; however, I will say that the nicknames themselves could have been used to gain intelligence on said users and indeed prove their affiliation.

My premise is this;

1) The more unique a nick is the easier it is to track

2) Nickname re-use on other sites in tandem with uniqueness makes tracking and expanding on social connections easier

3) With the right foot-printing, one can potentially get enough information not only to see affiliations and actions, but also real names of individuals

So, if you are on the Anon boards and you re-use your nick, AND it is unique enough, I know that you can be tracked. Add to this that you use your nick as an email address, and you are adding even more context for someone to search on and cogently put together patterns for recognition. So, the more data points, the more coherent the picture, if you see what I mean. By using tools like Maltego or even Palantir correctly, one can make those connections. In the hands of a trained analyst, the data can really show a person’s online personae and reveal enough to have law enforcement breathing down your neck with warrants.

In looking at the Anon sites, one can see regular names turning up. Using Maltego on some of those names has also given returns that would be a good start on locating those people, because they used the same nickname for other purposes that are inherently insecure. Which is ironic, as Anonymous is supposed to be just that. In fact, one can log onto their IRC as just “anonymous18457” etc. I would do this every time I wanted to go onto their servers so as not to leave too much residual data for someone to mine.
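To make the three premises above concrete, here is an added worked example written for this post; it is not code from Maltego, Palantir, or anyone on the Anon boards. It scores how distinctive a handle is, then clusters observations of that handle across sites, together with any email address whose mailbox name is the handle, and flags one handle contained in another as a weak link for a human to confirm. The sites, handles and addresses are constructed for the illustration and are not real accounts; the scoring weights, the threshold and the word list are arbitrary choices made here, not a published method.

```python
import re
from collections import defaultdict

# Constructed observations of (site, handle, e-mail or None). These are invented
# for the illustration and are not real accounts.
OBSERVATIONS = [
    ("irc.example",    "anonymous18457",  None),
    ("irc.example",    "xq_ravenstorm77", None),
    ("forum.example",  "xq_ravenstorm77", "xq_ravenstorm77@mail.example"),
    ("social.example", "xq_ravenstorm77", None),
    ("paste.example",  "ravenstorm",      None),
    ("irc.example",    "john",            None),
    ("forum.example",  "john",            "j.smith@mail.example"),
    ("social.example", "admin",           None),
]

# Generic handles that thousands of unrelated people use; pivoting on them only
# produces noise. A real analyst would use a far larger word list.
COMMON_WORDS = {"john", "admin", "anonymous", "guest", "user", "anon", "root"}
PIVOT_THRESHOLD = 4   # arbitrary cut-off for "unique enough to track"
WEAK_MIN_LEN = 8      # shorter fragments collide too often to use as weak links


def uniqueness(handle: str) -> int:
    """Premise 1: a rough integer distinctiveness score for a handle.

    0 means generic: a word from the common list, optionally followed by
    digits (anonymous18457). Otherwise longer handles and more character
    classes score higher, because fewer unrelated people will share them.
    """
    m = re.fullmatch(r"([a-z]+)(\d*)", handle.lower())
    base = m.group(1) if m else handle.lower()
    if base in COMMON_WORDS:
        return 0
    classes = sum(bool(re.search(p, handle))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    return min(len(handle), 12) // 3 + classes


class _DSU:
    """Minimal union-find so linked identities fall into one cluster."""
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def link_accounts(observations):
    """Premises 2 and 3: cluster observations that probably belong to one person.

    Strong links: the same distinctive handle on different sites, or an e-mail
    whose local part is a distinctive handle. Weak links: one distinctive
    handle contained in another (ravenstorm inside xq_ravenstorm77); they are
    merged but also returned separately because a human should confirm them.
    Returns (clusters sorted by number of sites, weak_links).
    """
    dsu = _DSU()
    pivot = {h for _, h, _ in observations if uniqueness(h) >= PIVOT_THRESHOLD}
    pivot_lower = {h.lower() for h in pivot}
    for _, handle, email in observations:
        if handle in pivot and email:
            dsu.union(("handle", handle.lower()), ("email", email.lower()))
            local = email.split("@", 1)[0].lower()
            if local in pivot_lower:              # nick re-used as a mailbox name
                dsu.union(("handle", local), ("email", email.lower()))
    weak = []
    for a in pivot:
        for b in pivot:
            if a != b and len(a) >= WEAK_MIN_LEN and a.lower() in b.lower():
                weak.append((a, b))
                dsu.union(("handle", a.lower()), ("handle", b.lower()))
    clusters = defaultdict(lambda: {"handles": set(), "sites": set(), "emails": set()})
    for site, handle, email in observations:
        if handle not in pivot:
            continue                              # generic: unlinkable noise
        c = clusters[dsu.find(("handle", handle.lower()))]
        c["handles"].add(handle)
        c["sites"].add(site)
        if email:
            c["emails"].add(email)
    return sorted(clusters.values(), key=lambda c: -len(c["sites"])), weak


if __name__ == "__main__":
    found, weak_links = link_accounts(OBSERVATIONS)
    for c in found:
        print(sorted(c["handles"]), "seen on", sorted(c["sites"]), "mail:", sorted(c["emails"]))
    print("weak links needing confirmation:", weak_links)
```

On the constructed data, the throwaway “anonymous18457”, “john” and “admin” score zero and never enter a cluster, while “xq_ravenstorm77” ties four sites and a mailbox together and drags “ravenstorm” in as a weak link. That is the whole point of rotating a generic nick per session: there is nothing distinctive to pivot on.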

Aaron was right in that people are inherently lazy at times. We as a species are also ill-equipped to weigh long-term threats against near-term ones. In most cases, though, many of the Anons are in fact young and likely accustomed to the idea that the Internet is an anonymous space.

It isn’t, unless you take pains to make it so.

Conclusion:

So there you have it. I have been pondering this for a little while now. I am sure there will be more as I think about it a bit. Aaron was a fool, but let me tell you, there are others out there in spook country who aren’t. These techniques are no secret, nor are the theories of behaviour. These are common ideas that are used within the psyops realm, and you, “anonymous” legions, must take that into account. If the authorities cannot get the core members, they will eventually get round to going after the low-hanging fruit.

However, with these techniques, even someone diligent about their anonymity can be defeated. Everyone makes mistakes…

Now that the file has been around a while, I have gotten around to reading all 61 pages of it and have the following analysis to blog about. After thinking about it a bit and doing some research on data culled from the file and the prose, I have to say that yes, this is a slick attempt at recruitment for the teen-to-twenty-somethings in the West. However, when I say slick, I only mean that it has some interesting graphics and methods to get kids to join their cause. On the whole, though, it is an uneven piece of propaganda that does harbor some serious portents about things that I have mentioned here before.

They are adopting espionage tradecraft

They are splintering further down, advocating small independent action cells

They are using encrypted communications and advocating for more secure operations online

They have begun marketing to the “youth culture”

That same “youth culture” that idealists inhabit includes the “green movement” arguments

They have begun to adopt the more mainstream propaganda tools of major governments

I have to say, these guys are learning, and I swear that they have begun to read psyops texts as well as Advertising Age to get to where they think they need to be to win. This is something different; however, it is not as much of a threat to the nation as “they” would have you think it is, per their posts and chatter after its release and subsequent hacking/infection by malware.

All they really need to do next is watch “Cool Hunters” on PBS and then apply some more of these tactics. Then they could maybe sell... well, would any Western teen buy into the 72 virgins idea? I think not. So, they try to be slick and all Mad Men, but they fail because of what they are trying to sell:

Religious zealotry and a culture of loving death.

Which, I should think, is quite the opposite of the Western mindset. Of course they are trying to get the whole “It’s an adventure” thing going with all the talk of going on site and fighting the good fight, but it just will not ring true with the majority here in the US. Of course, there are always those who are willing to follow along. I think, though, that most will have to be deranged or brainwashed by the local Imam and cell mosque in order to really buy a ticket and bring a friend along for the ride. These folks also will more than likely be originally from other countries that they feel ties to, which are reinforced by this type of rhetoric.

So, here are some observations:

The first article attempts to make a “green” argument for jihad and the removal of the US from the area. This is an alleged piece by OBL and claims that all of our problems with the world are oil-based and can be remedied by jihad. In other words, Allah will be loving it if you get the khafir out of the Muslim lands. Once that happens, it’s all good.

It was quite interesting to see OBL getting all green. Somehow I doubt it was actually him doing the writing here. I just don’t see OBL wearing a Greenpeace shirt and protecting a baby harp seal. Do you?

The articles vacillate between “if you leave there will be peace” and “all khafir must die”. There are some wild mood swings in this PDF. It’s almost like talking to someone in anger management therapy whom you have to talk off the ledge.

Mukhtar’s piece is oriented toward college-age males, with media board bandito imagery. He also advocates bringing a friend and learning the language. This is the very “college”-looking piece and is aimed at the twenty-somethings. I would hazard a guess, too, that the handwritten look is not just a typeface but in fact someone’s actual handwriting. Let the graphologists loose!

Abu Musab Al Suri’s piece advocates small-cell/single-jihadi terrorism. There is a long section of history and philosophy on their war thus far. They have learned that the agile force is the one that is hard to catch, hard to destroy, and gives the most bang for the buck. Thus they advocate making small bombs at home that could kill 10 people as a step toward learning how to make bigger ones. All the while they are using guerrilla warfare tactics and philosophy to sell jihad everywhere. What it boils down to is this: do this at home and breed fear. This is a dangerous idea, because inevitably there will be people who buy into it. The bomb-making section has been removed from the document for your and my protection.

Technologically, they are getting more savvy. The writers have given the would-be jihadis pointers on internet security that include the use of encryption technologies (Al Majahden 2), which I have written about before and have a copy of that has been pulled apart. They even go as far as to show how to check that the program is the official build by comparing its hash against the published one. They also advocate the use of proxies as well as working from internet cafes. Another surprise was a section on cell phone safety, AND the use of live distros on USB. It was inevitable, as all this is out there on the hacking sites anyway.

In the final analysis, they also put in their public key as well as a series of email addresses to contact them with. Ironically, the actual posting of the pubkey gave me something to use in Maltego, and it turned up some very interesting results! I will be chasing those down in the near future, as well as more on the email addresses.
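As an added illustration of what a posted public key hands an analyst (this is not part of the original post, and the key it parses is not the one from the magazine): the script below strips the ASCII armor, checks the armor CRC-24 so a truncated or edited paste is rejected, walks the OpenPGP packets per RFC 4880, and pulls out the v4 fingerprint, the 64-bit key ID and every user ID. Those strings are exactly what you would feed to a keyserver search or a Maltego transform to find other places the same key or address has been posted. The key is a deliberately bogus one assembled inline (a 4-bit RSA modulus and an invented user ID) so that the example runs offline; only the packet layout is real.

```python
import base64
import hashlib
import struct

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB
ALGOS = {1: "RSA", 2: "RSA-encrypt-only", 3: "RSA-sign-only", 16: "ElGamal", 17: "DSA"}


def crc24(data: bytes) -> int:
    """Armor checksum, reference algorithm from RFC 4880 section 6.1."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def dearmor(text: str) -> bytes:
    """Strip ASCII armor, verify the =XXXX CRC line, return raw packet bytes."""
    lines = [l.rstrip("\r") for l in text.strip().splitlines()]
    if not (lines[0].startswith("-----BEGIN PGP") and lines[-1].startswith("-----END PGP")):
        raise ValueError("not an armored PGP block")
    body = lines[1:-1]
    if "" in body:                               # skip Version:/Comment: headers
        body = body[body.index("") + 1:]
    crc_lines = [l for l in body if l.startswith("=")]
    data = base64.b64decode("".join(l for l in body if not l.startswith("=")))
    if crc_lines:
        expected = int.from_bytes(base64.b64decode(crc_lines[0][1:]), "big")
        if crc24(data) != expected:
            raise ValueError("armor CRC mismatch: block altered or truncated")
    return data


def packets(data: bytes):
    """Yield (tag, body) for each OpenPGP packet; old and new header formats."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("bad packet tag byte")
        if ctb & 0x40:                           # new-format header
            tag, first = ctb & 0x3F, data[i + 1]
            if first < 192:
                length, i = first, i + 2
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 2] + 192, i + 3
            elif first == 255:
                length, i = struct.unpack(">I", data[i + 2:i + 6])[0], i + 6
            else:
                raise ValueError("partial body lengths not handled here")
        else:                                    # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not handled here")
            n = (1, 2, 4)[ltype]
            length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        yield tag, data[i:i + length]
        i += length


def key_summary(armored: str) -> dict:
    """Pull the pivot points out of a public key: fingerprint, key ID, UIDs."""
    info = {"fingerprint": None, "key_id": None, "algorithm": None,
            "created": None, "uids": [], "subkeys": []}
    for tag, body in packets(dearmor(armored)):
        if tag in (6, 14):                       # public key / public subkey
            if body[0] != 4:
                raise ValueError("only v4 keys handled")
            # v4 fingerprint = SHA-1 over 0x99, 2-byte length, key body (RFC 4880 12.2)
            fpr = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()
            if tag == 6:
                info.update(fingerprint=fpr, key_id=fpr[-16:],
                            created=struct.unpack(">I", body[1:5])[0],
                            algorithm=ALGOS.get(body[5], str(body[5])))
            else:
                info["subkeys"].append(fpr[-16:])
        elif tag == 13:                          # user ID: the name and e-mail to pivot on
            info["uids"].append(body.decode("utf-8", "replace"))
    return info


def build_demo_key() -> str:
    """Constructed, deliberately bogus v4 RSA key (4-bit modulus) so the example
    runs offline. Only the packet layout is real; never use such a key."""
    body = (b"\x04" + struct.pack(">I", 0x4BB5F0A0) + b"\x01"   # v4, created, RSA
            + b"\x00\x04\x0b"                                  # MPI n = 11
            + b"\x00\x02\x03")                                 # MPI e = 3
    uid = b"Constructed Demo Key <nobody@example.invalid>"
    raw = (b"\x99" + struct.pack(">H", len(body)) + body       # tag 6, 2-byte length
           + b"\xb4" + bytes([len(uid)]) + uid)                # tag 13, 1-byte length
    b64 = base64.b64encode(raw).decode()
    crc = base64.b64encode(crc24(raw).to_bytes(3, "big")).decode()
    return "\n".join(["-----BEGIN PGP PUBLIC KEY BLOCK-----", ""]
                     + [b64[j:j + 64] for j in range(0, len(b64), 64)]
                     + ["=" + crc, "-----END PGP PUBLIC KEY BLOCK-----"])


DEMO_KEY = build_demo_key()

if __name__ == "__main__":
    for k, v in key_summary(DEMO_KEY).items():
        print(f"{k:12} {v}")
```

The same walk over the packets is what a real tool does before it ever touches a keyserver; the key ID and the e-mail inside the user ID are stable identifiers that the author chose to publish, which is why they are such useful search terms.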

I wonder if there will be an issue #2….

I have to say, though, that their market of young and impressionable individuals may be swayed by some of their arguments. They do lay them out logically (well, their logic) and try to use the tools of the West on itself, but then you hit the sections of “kill all kafir!” and you have to go

“whoa, where was I?”

As a psy-op they have gotten off to an interesting start…

The full file, sans bomb-making plans, can be downloaded HERE. The sections omitted have graven images of Muhammad, so YAY, fatwas on me! Take a long swig of something and sit down to read the drivel.